Fix scope for roles

This may not strictly be necessary, but it is a worthwhile check.
Abin Simon
2022-03-14 11:47:03 +05:30
parent 8184c23a8f
commit 3aedac3201
4 changed files with 25 additions and 7 deletions


@@ -3,6 +3,7 @@ package service
import (
"context"
"fmt"
"strings"
"time"
"github.com/RafaySystems/rcloud-base/internal/dao"
@@ -138,6 +139,14 @@ func (s *roleService) Create(ctx context.Context, role *rolev3.Role) (*rolev3.Ro
return nil, fmt.Errorf("role '%v' already exists", role.GetMetadata().GetName())
}
scope := role.GetSpec().GetScope()
// since this is purely additional metadata at this point, we
// can kinda treat it as optional, and so we are allowing empty
// TODO: check if "" is valid
if !contains([]string{"system", "organization", "project", ""}, strings.ToLower(scope)) {
return nil, fmt.Errorf("unknown scope '%v'", scope)
}
// convert v3 spec to internal models
rle := models.Role{
Name: role.GetMetadata().GetName(),
@@ -148,7 +157,7 @@ func (s *roleService) Create(ctx context.Context, role *rolev3.Role) (*rolev3.Ro
OrganizationId: organizationId,
PartnerId: partnerId,
IsGlobal: role.GetSpec().GetIsGlobal(),
Scope: role.GetSpec().GetScope(), // TODO: validate scope is SYSTEM/ORG/PROJECT?
Scope: strings.ToLower(scope),
}
entity, err := s.dao.Create(ctx, &rle)
if err != nil {
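Review bot: The scope check introduced at `if !contains([]string{"system", "organization", "project", ""}, strings.ToLower(scope))` runs only in Create; Update, which TestUpdateRole in the second file expects to write `"scope" = 'system'`, does not appear to receive the same validation in this commit, so an unknown or mixed-case scope could still be persisted through the update path (inferred from the test expectation — confirm against Update). Factoring the check into a helper lets both paths share it and replaces the slice-plus-`contains` lookup with a `switch`. Accepting `""` should become an explicit, documented decision rather than a TODO, since a role with no scope presumably falls outside any scope-based filtering downstream — confirm before relying on it. Create's body starts and ends outside the hunk.
```go
// normalizeScope lower-cases scope and rejects values outside the known set.
// The empty string is accepted for now because scope is still treated as
// optional metadata; revisit once it participates in authorization decisions.
func normalizeScope(scope string) (string, error) {
	switch s := strings.ToLower(scope); s {
	case "system", "organization", "project", "":
		return s, nil
	default:
		return "", fmt.Errorf("unknown scope '%v'", scope)
	}
}

// in Create (and likewise in Update):
scope, err := normalizeScope(role.GetSpec().GetScope())
if err != nil {
	return nil, err
}
// … unchanged: build models.Role with Scope: scope …
```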


@@ -71,7 +71,7 @@ func TestCreateRole(t *testing.T) {
role := &rolev3.Role{
Metadata: &v3.Metadata{Partner: "partner-" + puuid, Organization: "org-" + ouuid, Name: "role-" + ruuid},
Spec: &rolev3.RoleSpec{IsGlobal: true, Scope: "cluster"},
Spec: &rolev3.RoleSpec{IsGlobal: true, Scope: "system"},
}
role, err := rs.Create(context.Background(), role)
if err != nil {
@@ -107,7 +107,7 @@ func TestCreateRoleWithPermissions(t *testing.T) {
role := &rolev3.Role{
Metadata: &v3.Metadata{Partner: "partner-" + puuid, Organization: "org-" + ouuid, Name: "role-" + ruuid},
Spec: &rolev3.RoleSpec{IsGlobal: true, Scope: "cluster", Rolepermissions: []string{"ops_star.all"}},
Spec: &rolev3.RoleSpec{IsGlobal: true, Scope: "system", Rolepermissions: []string{"ops_star.all"}},
}
role, err := rs.Create(context.Background(), role)
if err != nil {
@@ -141,7 +141,7 @@ func TestCreateRoleDuplicate(t *testing.T) {
role := &rolev3.Role{
Metadata: &v3.Metadata{Partner: "partner-" + puuid, Organization: "org-" + ouuid, Name: "role-" + ruuid},
Spec: &rolev3.RoleSpec{IsGlobal: true, Scope: "cluster"},
Spec: &rolev3.RoleSpec{IsGlobal: true, Scope: "system"},
}
_, err := rs.Create(context.Background(), role)
if err == nil {
@@ -168,7 +168,7 @@ func TestUpdateRole(t *testing.T) {
mock.ExpectQuery(`SELECT "resourcerole"."id", "resourcerole"."name", .*FROM "authsrv_resourcerole" AS "resourcerole" WHERE .organization_id = '` + ouuid + `'. AND .partner_id = '` + puuid + `'. AND .name = 'role-` + ruuid + `'.`).
WithArgs().WillReturnRows(sqlmock.NewRows([]string{"id", "name", "organization_id", "partner_id"}).AddRow(ruuid, "role-"+ruuid, ouuid, puuid))
mock.ExpectExec(`UPDATE "authsrv_resourcerole" AS "resourcerole" SET "name" = 'role-` + ruuid + `', .*"organization_id" = '` + ouuid + `', "partner_id" = '` + puuid + `', "is_global" = TRUE, "scope" = 'cluster' WHERE .id = '` + ruuid + `'.`).
mock.ExpectExec(`UPDATE "authsrv_resourcerole" AS "resourcerole" SET "name" = 'role-` + ruuid + `', .*"organization_id" = '` + ouuid + `', "partner_id" = '` + puuid + `', "is_global" = TRUE, "scope" = 'system' WHERE .id = '` + ruuid + `'.`).
WillReturnResult(sqlmock.NewResult(1, 1))
mock.ExpectExec(`DELETE FROM "authsrv_resourcerolepermission" AS "resourcerolepermission" WHERE ."resource_role_id" = '` + ruuid + `'.`).
WillReturnResult(sqlmock.NewResult(1, 1))
@@ -180,7 +180,7 @@ func TestUpdateRole(t *testing.T) {
role := &rolev3.Role{
Metadata: &v3.Metadata{Partner: "partner-" + puuid, Organization: "org-" + ouuid, Name: "role-" + ruuid},
Spec: &rolev3.RoleSpec{IsGlobal: true, Scope: "cluster", Rolepermissions: []string{"ops_star.all"}},
Spec: &rolev3.RoleSpec{IsGlobal: true, Scope: "system", Rolepermissions: []string{"ops_star.all"}},
}
role, err := rs.Update(context.Background(), role)
if err != nil {
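Review bot: None of the updated tests exercises the rejection path the service commit introduces; `"cluster"`, the value these tests used before, is now an unknown scope, so a negative test asserting that `rs.Create` returns an error for it would pin the new behavior. A second case passing `Scope: "SYSTEM"` and expecting the INSERT to carry `'system'` would pin the lower-casing. In the service hunk the duplicate-name lookup runs before the scope check, so the negative test's mock still has to expect that SELECT (inferred from hunk order — confirm).
```go
func TestCreateRoleInvalidScope(t *testing.T) {
	// … unchanged: mock/service setup as in TestCreateRole, including the
	// duplicate-name SELECT expectation …
	role := &rolev3.Role{
		Metadata: &v3.Metadata{Partner: "partner-" + puuid, Organization: "org-" + ouuid, Name: "role-" + ruuid},
		Spec:     &rolev3.RoleSpec{IsGlobal: true, Scope: "cluster"},
	}
	if _, err := rs.Create(context.Background(), role); err == nil {
		t.Fatal("expected error for unknown scope 'cluster'")
	}
}
```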


@@ -11,3 +11,12 @@ func unique(items []string) []string {
}
return list
}
func contains(s []string, str string) bool {
for _, v := range s {
if v == str {
return true
}
}
return false
}
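Review bot: `contains` has no doc comment, and its match is exact and case-sensitive, which matters because its caller in the service lower-cases the input first; add `// contains reports whether str is exactly equal (case-sensitive) to some element of s.` above the declaration. If the module's Go version permits, the standard library's `slices.Contains` (Go 1.21+) makes this helper unnecessary — go.mod is not visible here, so that is not certain. The `unique` function above it starts outside the hunk.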